WordPress Plugin Vulnerabilities

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid < 7.7.0 - Missing Authorization

Description

The The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the rtTPGSaveSettings function in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with subscriber access or higher, to change the plugin's settings and invoke other functions hooked by AJAX actions.

Affects Plugins

Plugin icon
the-post-grid
Fixed in 7.7.0

References

CVE
CVE-2024-3936
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f4ef2ced-3c82-4379-8b14-1cf11482fd35

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Pavel Palii
Verified
No
WPVDB ID
56f0803c-4595-47d8-903d-eb6d04cc29cf

Timeline

Publicly Published
2024-04-30 (about 2 years ago)
Added
2024-04-30 (about 2 years ago)
Last Updated
2024-04-30 (about 2 years ago)

Other

Published
Title
Published
2024-09-04
Title
Geo Controller < 8.7.4 - Missing Authorization to Authenticated (Subscriber+) Menu Creation/Deletion
Published
2025-04-07
Title
Motors – Car Dealership & Classified Listings Plugin < 1.4.65 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation
Published
2026-03-01
Title
VW Education Lite < 2.2.1 - Missing Authorization
Published
2024-12-18
Title
WP SuperBackup < 2.4 - Missing Authorization to Unauthenticated Back-Up File Download
Published
2025-05-16
Title
Push notification for Mobile and Web app < 2.0.4 - Missing Authorization